Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

trojanspy.tml.smitfraud.com [resolved]

Started by doug_lord , Apr 18 2005 02:43 PM

  • This topic is locked This topic is locked

#1
doug_lord
Posted 18 April 2005 - 02:43 PM

doug_lord

    Member

  • Member
  • PipPip
  • 16 posts
I picked up the smitfraud trojan two days ago, seemed to correlate with my Norton virusscan software advising me hat my subscription had elapsed.
I have the lue screen wallpaper and have run a few downloaded programmes to try to remove to no avail.
The laptop has always been slow but now it is next to stationary.
I'd really appreciate help in removing the virus, removing the blue screen and optimising the system.

Hijack this scan:

Logfile of HijackThis v1.99.1
Scan saved at 9:39:33 PM, on 4/18/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\mm15201518.Stub.exe
C:\WINNT\System32\internat.exe
C:\wp.exe
C:\winnt\ohrxdnu.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\Microsoft Office\OFFICE11\WINWORD.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINNT\System32\svchost.exe
C:\Program Files\AOL Companion\companion.exe
C:\PROGRA~1\WINZIP\wzqkpick.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windows-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://windows-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://windows-find.com/index.htm
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.aol.co.uk/
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windows-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windows-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\Run: [jtgljml] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wymrvfy] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hesakcb] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ydvxcka] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [bspjlog] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [avqdivq] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hkokhoj] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ywpenwu] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [sujqtiv] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [eqdolgd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [kkuqlgl] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ubmndea] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [oiqdlto] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [erfpphm] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mpmgqvd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wjxowql] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [umyagtg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [fcbmsce] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [pakynre] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [qvuufop] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mxmshow] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [nptykyg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [icmvgda] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [caqmvwi] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [ikihvdc] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hewqaos] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [pswrdvo] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [snhfutt] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [jjxgtvm] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [vtpdses] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [bsgjfye] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [udqxvbl] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hitasut] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jmesujl] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jgutffg] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [teltnsp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [owurqis] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qusxoeo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hkrttta] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qskudot] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [pbjitog] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [midmbwv] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [fhrfkxp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [oaiaedw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [vvdlmjc] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [rnvwyba] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [ojmpnwk] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hbsfrhw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [gggggxo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [huqcsgj] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [irrccpu] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [uwjvnln] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [epsrjti] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffihdnc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oohanrj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gisvghe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jusdyqg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ukohfei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tupyrsn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [drasegk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tradkou] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yccsets] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [iwlbnvs] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vxslbei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bitkaqt] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bwuykvd] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cfkixgk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [xsqqpoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [thbfpfl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kibuwdc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fsqowsf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evedfyu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jlyotdv] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [efvahem] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [owccmuo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [miivuet] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [wkekaan] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qgssfdo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vcevdfm] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [nxptycu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oqsbtmi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ppkcjsk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qqvqiws] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [hkqefaf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [dxeoely] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pnitcho] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [arrgjre] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ealmrwc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cpbglvh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [sderaly] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ixuotoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gxxvlnf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pdocqpn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jdrqpmh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [irldsix] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evpbhwi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kmukorg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yqwjghr] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tdkibxe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [uqwcupk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fxupxlb] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffryjpl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [aamwhmn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vagjdka] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [llqqdhj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [afcwccw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rpekvgf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oihmkve] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gnhpayx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [whlinpb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [dsfsofp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hijxopg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oscuxms] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [lpihaxe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vysgsjv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [nmsgloc] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qwobeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [bhjdena] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eirpatk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mrbqxia] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hxkiejj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pirjqon] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mdhfpkf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wutvhqw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hoowwkq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eiwodod] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhiboty] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [inslqeq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jgwkkwj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [orvtosm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wbmhbtg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [chrohsl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amuklml] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rflurmo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vgfgnjm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hlrhbao] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wfsdpsf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xmcoxwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jdwxouv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xeemdag] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [khkiefh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yvtompe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tbcflen] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ysulbxi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tpamgwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uoohbgi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oboluvm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amkqjqn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ygxgiid] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [fbcwgnt] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gwdvyel] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ulmnxsv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uiodpbx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jeotdpd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oryhxba] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhlpjcl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ihxynbh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ypfgilf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [denqjrj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pcafyfo] c:\winnt\imujmni.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Many thanks
  • 0

Advertisements

#2
g2i2r4
Posted 24 April 2005 - 03:09 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Welcome doug_lord to Geeks to Go!
Sorry for the late reply.
If you’re still looking to resolve this issue, please follow this advise to start with.


Download CWShredder.
Download About:Buster.
Download CleanUp!.
If that doesn’t work, use this link.

Don't run the programs yet, we'll do that later.

***

Update CWShredder
  • Open CWShredder and click I AGREE
  • Click Check For Update
  • Click Fix and then Next, let it fix everything it finds.
  • Close CWShredder
***

Update About:Buster
  • Unzip the contents of AboutBuster.zip and an AboutBuster directory will be created.
  • Navigate to the AboutBuster directory and double-click on AboutBuster.exe.
  • Click "OK" at the prompt with instructions.
  • Click "Update" and then "Check For Update" to begin the update process.
  • If any updates exist please download them by clicking "Download Update" then click the X to close that window.
***

Boot into Safe Mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

***

Please run About:Buster:
  • Click Start and then OK to allow AboutBuster to scan for Alternate Data Streams.
  • Click Yes to allow it to shutdown explorer.exe.
  • It will begin to check your computer for malicious files. If it asks if you would like to do a second pass, allow it to do so.
  • When it has finished, click Save Log. Make sure you save it as I need a copy of it later.
  • Reboot your computer into safe mode again
Run about:buster again following the same instructions as above, this time without the restart at the end.

***

Now run CWShredder. Click I Agree, then Fix and then Next, let it fix everything.

***

Find and doubleclick the file cleanup.

Go to option
Select ‘custom’
Put a check to:* Cookies
* Prefetch
* Temp
* All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

***

Post back in this topic using the button 'add reply'. Post a fresh log using HijackThis. Also post me the logs of About:Buster.
  • 0

#3
doug_lord
Posted 03 May 2005 - 07:19 PM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Sorry for delay:

Followed all instructions.

Hijack this log:

Logfile of HijackThis v1.99.1
Scan saved at 2:12:18 AM, on 5/4/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\Explorer.EXE
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\mm15201518.Stub.exe
C:\WINNT\System32\internat.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windows-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windows-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windows-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\Run: [jtgljml] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wymrvfy] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hesakcb] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ydvxcka] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [bspjlog] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [avqdivq] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hkokhoj] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ywpenwu] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [sujqtiv] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [eqdolgd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [kkuqlgl] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ubmndea] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [oiqdlto] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [erfpphm] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mpmgqvd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wjxowql] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [umyagtg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [fcbmsce] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [pakynre] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [qvuufop] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mxmshow] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [nptykyg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [icmvgda] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [caqmvwi] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [ikihvdc] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hewqaos] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [pswrdvo] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [snhfutt] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [jjxgtvm] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [vtpdses] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [bsgjfye] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [udqxvbl] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hitasut] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jmesujl] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jgutffg] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [teltnsp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [owurqis] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qusxoeo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hkrttta] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qskudot] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [pbjitog] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [midmbwv] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [fhrfkxp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [oaiaedw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [vvdlmjc] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [rnvwyba] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [ojmpnwk] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hbsfrhw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [gggggxo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [huqcsgj] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [irrccpu] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [uwjvnln] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [epsrjti] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffihdnc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oohanrj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gisvghe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jusdyqg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ukohfei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tupyrsn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [drasegk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tradkou] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yccsets] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [iwlbnvs] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vxslbei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bitkaqt] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bwuykvd] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cfkixgk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [xsqqpoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [thbfpfl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kibuwdc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fsqowsf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evedfyu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jlyotdv] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [efvahem] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [owccmuo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [miivuet] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [wkekaan] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qgssfdo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vcevdfm] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [nxptycu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oqsbtmi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ppkcjsk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qqvqiws] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [hkqefaf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [dxeoely] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pnitcho] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [arrgjre] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ealmrwc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cpbglvh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [sderaly] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ixuotoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gxxvlnf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pdocqpn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jdrqpmh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [irldsix] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evpbhwi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kmukorg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yqwjghr] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tdkibxe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [uqwcupk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fxupxlb] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffryjpl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [aamwhmn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vagjdka] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [llqqdhj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [afcwccw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rpekvgf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oihmkve] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gnhpayx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [whlinpb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [dsfsofp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hijxopg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oscuxms] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [lpihaxe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vysgsjv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [nmsgloc] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qwobeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [bhjdena] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eirpatk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mrbqxia] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hxkiejj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pirjqon] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mdhfpkf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wutvhqw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hoowwkq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eiwodod] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhiboty] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [inslqeq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jgwkkwj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [orvtosm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wbmhbtg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [chrohsl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amuklml] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rflurmo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vgfgnjm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hlrhbao] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wfsdpsf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xmcoxwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jdwxouv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xeemdag] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [khkiefh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yvtompe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tbcflen] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ysulbxi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tpamgwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uoohbgi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oboluvm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amkqjqn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ygxgiid] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [fbcwgnt] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gwdvyel] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ulmnxsv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uiodpbx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jeotdpd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oryhxba] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhlpjcl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ihxynbh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ypfgilf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [denqjrj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pcafyfo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gfrqsgq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [njqhyln] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [cgjumje] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ljdsurf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kwrxybb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yaxioqp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mlkbmhs] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kysmeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oiqbvwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rntgpqb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qvrixmm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ajmakbk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [paavjfn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [axeuyjp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wpjixev] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [pnwcjom] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [iviavgl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramibwu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [oxrebmb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [osonrdl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ajpcfpt] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [nbbonej] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shyrsia] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ayfgydw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shvmuhe] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixdtnen] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [njectjw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [hfvlbjo] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [khhtxlj] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramyspf] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [jsjvfef] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yjfdygd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ytlsqwl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [lrvctym] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ptacsln] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wxhtffd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixkggsa] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [eohpqwk] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [gvvhbqu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [udayxsp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [dnmsbcw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [cemsnpb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yxnxslo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hrggukd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dhgwqyp] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fvasaid] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hnkqnsd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [rknevxu] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nftagqo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [iiddptl] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cyefhug] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nccemra] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lxnrooy] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fmcwfkq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [enqkyeq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fjekmkd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lwqcotb] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [uqbcovj] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [mgxsvch] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cvuqaey] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [orvetwg] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjudger] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjpsouo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dtqflrv] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qqpiptd] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [fvimgni] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [dfrkged] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [djhtbnv] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [ucjnhnx] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [qqvrspj] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rkkubkc] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [rehlsww] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [nmfhyhl] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rlschev] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [krfsrhy] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [xcluqra] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [xlwmeij] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [jgrsahx] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qjfpjbr] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [iaylofm] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [sgsfqaw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [rjeniur] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [plbiyiv] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [aejqtjp] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [knneiyb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [fmyeurc] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [dpyujba] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [jhnbqus] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [filddik] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [ayelfgb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [tqutdfw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [iygbtor] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [lluvtqb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [nycaakt] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [gmouinj] c:\winnt\vixwkwk.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

About buster log::

Scanned at: 10:32:05 PM on: 5/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 26

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!


Also active scan results (found 12 infections but could not remove any)


Incident Status Location

Adware:Adware/DelFinMedia No disinfected C:\WINNT\mm15201518.Stub.exe
Adware:Adware/DelFinMedia No disinfected C:\WINNT\MM1520~1.EXE
Adware:Adware/SaveNow No disinfected Windows Registry
Adware:Adware/nCase No disinfected C:\WINNT\180ax.log
Spyware:Spyware/ISTbar No disinfected Windows Registry
Adware:Adware/IGuard No disinfected C:\WINNT\System32\wldr.dll
Adware:Adware/GoodFind4u No disinfected C:\Documents and Settings\Administrator\Favorites\ Free Spy Cam (Adult only).url
Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp
Adware:Adware/GoodFind4u No disinfected C:\Documents and Settings\Administrator\Favorites\ Free Hidden Cams World (Adult only).url
Adware:Adware/GoodFind4u No disinfected C:\Documents and Settings\Administrator\Favorites\ Free Spy Cam (Adult only).url
Adware:Adware/nCase No disinfected C:\WINNT\180ax.log
Adware:Adware/DelFinMedia No disinfected C:\WINNT\mm15201518.Stub.exe
Adware:Adware/IGuard No disinfected C:\WINNT\system32\wldr.dll
Adware:Adware/BlueScreenWarningNo disinfected C:\wp.bmp

Regards

Doug
  • 0

#4
g2i2r4
Posted 04 May 2005 - 10:48 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Download 'SpSeHjfix' to the desktop.
Rightclick a blank part of the desktop and select new folder, call it ‘spfix’.
Unzip the file into that folder.

Disconnect from the net and Close ALL OPEN PROGRAMS.
Run 'SpSeHjfix' and click on "Start Disinfection".
When it's finished it will reboot your computer to finish the cleaning process.
The tool creates a log of the fix which will appear in the folder.

If it doesn't find any of the SE files or any hidden reinstallers, it will say system clean and not go on to next stage.

Now run the CWShredder - Hit The FIX button!

Reboot and post a fresh log using HijackThis and the log that was created by 'SpSeHjfix'.
  • 0

#5
doug_lord
Posted 04 May 2005 - 04:42 PM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
HJT Log:

Logfile of HijackThis v1.99.1
Scan saved at 11:36:00 PM, on 5/4/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\mm15201518.Stub.exe
C:\WINNT\System32\internat.exe
C:\Program Files\AOL Companion\companion.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windows-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windows-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windows-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\Run: [jtgljml] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wymrvfy] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hesakcb] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ydvxcka] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [bspjlog] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [avqdivq] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hkokhoj] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ywpenwu] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [sujqtiv] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [eqdolgd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [kkuqlgl] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ubmndea] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [oiqdlto] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [erfpphm] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mpmgqvd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wjxowql] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [umyagtg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [fcbmsce] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [pakynre] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [qvuufop] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mxmshow] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [nptykyg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [icmvgda] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [caqmvwi] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [ikihvdc] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hewqaos] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [pswrdvo] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [snhfutt] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [jjxgtvm] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [vtpdses] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [bsgjfye] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [udqxvbl] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hitasut] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jmesujl] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jgutffg] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [teltnsp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [owurqis] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qusxoeo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hkrttta] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qskudot] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [pbjitog] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [midmbwv] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [fhrfkxp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [oaiaedw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [vvdlmjc] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [rnvwyba] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [ojmpnwk] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hbsfrhw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [gggggxo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [huqcsgj] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [irrccpu] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [uwjvnln] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [epsrjti] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffihdnc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oohanrj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gisvghe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jusdyqg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ukohfei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tupyrsn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [drasegk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tradkou] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yccsets] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [iwlbnvs] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vxslbei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bitkaqt] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bwuykvd] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cfkixgk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [xsqqpoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [thbfpfl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kibuwdc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fsqowsf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evedfyu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jlyotdv] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [efvahem] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [owccmuo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [miivuet] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [wkekaan] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qgssfdo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vcevdfm] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [nxptycu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oqsbtmi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ppkcjsk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qqvqiws] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [hkqefaf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [dxeoely] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pnitcho] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [arrgjre] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ealmrwc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cpbglvh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [sderaly] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ixuotoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gxxvlnf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pdocqpn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jdrqpmh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [irldsix] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evpbhwi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kmukorg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yqwjghr] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tdkibxe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [uqwcupk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fxupxlb] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffryjpl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [aamwhmn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vagjdka] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [llqqdhj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [afcwccw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rpekvgf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oihmkve] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gnhpayx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [whlinpb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [dsfsofp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hijxopg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oscuxms] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [lpihaxe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vysgsjv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [nmsgloc] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qwobeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [bhjdena] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eirpatk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mrbqxia] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hxkiejj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pirjqon] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mdhfpkf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wutvhqw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hoowwkq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eiwodod] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhiboty] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [inslqeq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jgwkkwj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [orvtosm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wbmhbtg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [chrohsl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amuklml] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rflurmo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vgfgnjm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hlrhbao] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wfsdpsf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xmcoxwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jdwxouv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xeemdag] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [khkiefh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yvtompe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tbcflen] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ysulbxi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tpamgwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uoohbgi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oboluvm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amkqjqn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ygxgiid] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [fbcwgnt] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gwdvyel] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ulmnxsv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uiodpbx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jeotdpd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oryhxba] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhlpjcl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ihxynbh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ypfgilf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [denqjrj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pcafyfo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gfrqsgq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [njqhyln] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [cgjumje] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ljdsurf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kwrxybb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yaxioqp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mlkbmhs] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kysmeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oiqbvwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rntgpqb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qvrixmm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ajmakbk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [paavjfn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [axeuyjp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wpjixev] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [pnwcjom] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [iviavgl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramibwu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [oxrebmb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [osonrdl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ajpcfpt] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [nbbonej] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shyrsia] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ayfgydw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shvmuhe] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixdtnen] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [njectjw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [hfvlbjo] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [khhtxlj] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramyspf] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [jsjvfef] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yjfdygd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ytlsqwl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [lrvctym] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ptacsln] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wxhtffd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixkggsa] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [eohpqwk] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [gvvhbqu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [udayxsp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [dnmsbcw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [cemsnpb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yxnxslo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hrggukd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dhgwqyp] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fvasaid] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hnkqnsd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [rknevxu] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nftagqo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [iiddptl] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cyefhug] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nccemra] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lxnrooy] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fmcwfkq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [enqkyeq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fjekmkd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lwqcotb] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [uqbcovj] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [mgxsvch] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cvuqaey] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [orvetwg] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjudger] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjpsouo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dtqflrv] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qqpiptd] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [fvimgni] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [dfrkged] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [djhtbnv] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [ucjnhnx] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [qqvrspj] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rkkubkc] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [rehlsww] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [nmfhyhl] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rlschev] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [krfsrhy] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [xcluqra] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [xlwmeij] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [jgrsahx] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qjfpjbr] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [iaylofm] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [sgsfqaw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [rjeniur] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [plbiyiv] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [aejqtjp] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [knneiyb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [fmyeurc] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [dpyujba] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [jhnbqus] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [filddik] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [ayelfgb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [tqutdfw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [iygbtor] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [lluvtqb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [nycaakt] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [gmouinj] c:\winnt\vixwkwk.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe




SPSeHjFix Log:

(5/4/05 11:20:10 PM) SPSeHjFix started v1.1.2
(5/4/05 11:20:10 PM) OS: Win2000 Service Pack 3 (5.0.2195)
(5/4/05 11:20:10 PM) Language: english
(5/4/05 11:20:10 PM) Win-Path: C:\WINNT
(5/4/05 11:20:10 PM) System-Path: C:\WINNT\System32
(5/4/05 11:20:10 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/4/05 11:20:36 PM) Disinfection started
(5/4/05 11:20:36 PM) Bad-Dll(IEP): (not found)
(5/4/05 11:20:37 PM) Bad-Dll(IEP) in BHO: (not found)
(5/4/05 11:20:38 PM) UBF: 8 - UBB: 5 - UBR: 267
(5/4/05 11:20:38 PM) UBF: 8 - UBB: 5 - UBR: 267
(5/4/05 11:20:38 PM) Bad IE-pages: (none)
(5/4/05 11:20:38 PM) Stealth-String not found
(5/4/05 11:20:38 PM) Not infected->END


(5/4/05 11:22:35 PM) SPSeHjFix started v1.1.2
(5/4/05 11:22:35 PM) OS: Win2000 Service Pack 3 (5.0.2195)
(5/4/05 11:22:35 PM) Language: english
(5/4/05 11:22:35 PM) Win-Path: C:\WINNT
(5/4/05 11:22:35 PM) System-Path: C:\WINNT\System32
(5/4/05 11:22:35 PM) Temp-Path: C:\DOCUME~1\ADMINI~1\LOCALS~1\Temp\
(5/4/05 11:22:38 PM) Disinfection started
(5/4/05 11:22:38 PM) Bad-Dll(IEP): (not found)
(5/4/05 11:22:38 PM) Bad-Dll(IEP) in BHO: (not found)
(5/4/05 11:22:38 PM) UBF: 8 - UBB: 5 - UBR: 267
(5/4/05 11:22:38 PM) UBF: 8 - UBB: 5 - UBR: 267
(5/4/05 11:22:38 PM) Bad IE-pages: (none)
(5/4/05 11:22:38 PM) Stealth-String not found
(5/4/05 11:22:38 PM) Not infected->END

CWShredder found nothing

Regards

Doug
  • 0

#6
g2i2r4
Posted 05 May 2005 - 07:00 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
For the duration of this fix, please disable AOL's spyware protection program. It may think that what we are doing now is an attack and stop the changes.

***

You have Spybot S&D's protection running which is good, but we need you to disable it for the remainder of the fix as it will interfere with the registry changes being made.
Open Spybot S&D in advanced mode, click Tools > Resident, and remove the check from "Resident Tea-Timer" and 'SD helper'. Reboot after unchecking the entry.

***

Please read these instructions carefully. You may want to print them. Copy the text to a Notepad file and save it to your desktop! We will need the file later.
Be sure to follow ALL instructions!

***

We need to make sure all hidden files are showing so please:* Click Start.
* Open My Computer.
* Select the Tools menu and click Folder Options.
* Select the View Tab.
* Under the Hidden files and folders heading select Show hidden files and folders.
* Uncheck the Hide protected operating system files (recommended) option.
* Click Yes to confirm.
* Click OK.
***

Open HijackThis
Go to ‘config’
Go to ‘misc tools’
Press the button ‘open uninstall manager’
In the list find:
Security IGuard
Virtual Maid
Search Maid
Press ‘delete this item’.
Press ‘back’

***

Go to ‘config’
Go to ‘misc tools’
Press ‘open process manager’
Select the process, press ‘kill process’ (and repeat this if necessary):
C:\WINNT\mm15201518.Stub.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
Exit HijackThis.

***

1) Please download the Killbox.
Unzip it to the desktop but do NOT run it yet.

2) Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

3) Once in Safe Mode, please run Killbox.

4) Select "Delete on Reboot".

5) Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\WINNT\mm15201518.Stub.exe
c:\winnt\ohrxdnu.exe
c:\winnt\kadtfeo.exe
c:\winnt\cnurihq.exe
c:\winnt\mwiswfo.exe
c:\winnt\imujmni.exe
c:\winnt\bghxjvw.exe
c:\winnt\bqeqaso.exe
c:\winnt\umetjwa.exe
c:\winnt\wbednct.exe
c:\winnt\ejounne.exe
c:\winnt\vixwkwk.exe

6) Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

7) Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again..

Let the system reboot.

***

Using Windows Explorer, delete the following (please do NOT try to find them by "search" because they will not show up that way)

FOLDERS to delete (in bold) if found:

C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security Iguard

Reboot into normal mode.

***

* Download and install Registrar Lite.
* Double click the purple Registrar Lite icon on your desktop.
* Copy the line in the box below and paste it into the "Address" field (located at the top) of the program:
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies
* Click the "Go" button.
* It will take you into the "Policies" folder.
* Locate the "System" folder (in the right panel)
* If found, right-click on the System folder and go to Delete
* Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.

***

Download Hoster
Unzip it to a convenient place and open the program.
Choose "Restore Original Hosts" and press "OK".
Close the program.

***

Download: deldomains.
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

***

There may also be a number of icons in the system folder that don't belong. Here are some examples:

casino.ico
date.ico
games.ico
mobile.ico
network.ico
pharm.ico
pharm2.ico
scanner.ico
spam.ico
spyware.ico

***

Download CleanUp!.
If that doesn’t work, use this link.

Go to options
Select ‘custom’
Put a check to:* empty recycle bins
* delete prefetch files
* scan local drives for temporary files
* CleanUp! All users.
Press 'cleanup!'

Once it's done, log off and log on again. This will remove files that were in use during the scan.

***

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect

***

Download this scanner:
ewido.
Install it and doubleclick the icon on your desktop.
Let it update.
Then, let it do a full run, and copy the log. Past it to a blank Notepad file and save it to post here.
Than let it rerun. Save that log too.

***

Post back here in this topic using the button ‘add reply’:
The results from the AV scan and a fresh log using HijackThis.

Edited by g2i2r4, 06 May 2005 - 10:53 AM.

  • 0

#7
doug_lord
Posted 05 May 2005 - 05:42 PM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I have got as far as attempting to remove the programmes using explorere and have decided to call a halt for two reasons:
One it is late and I'm falling asleep.
Two the instructions I have attempted to follow have not all been possible:

The hidden files were already showing

HJT could not see any of
Security IGuard
Virtual Maid
Search Maid
And only found the C:\WINNT\mm15201518.Stub.exe process.

Killbox may or may not have worked

None of the files listed were visible in explorer inluding Log Files
NB I cannot follow the path C: Windows , System 32 is in WINNT.

I am hoping that all of this means that my system is cleaner than we thought but would like your guidance before I proceed.

Good night

Regards

Doug

PS I will donate if you help me conclude this matter. Thanks.
  • 0

#8
g2i2r4
Posted 06 May 2005 - 10:51 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Did you follow the advise for killbox and all that is mentioned after that?
I edited the advise a bit, please save it again and follow it through.

When you are done, please post me a fresh log using HijackThis and the scanresults for Ewido.
  • 0

#9
doug_lord
Posted 06 May 2005 - 06:35 PM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
I did follow the advise for Killbox, pretty sure it ran fine.
Run two online scans and Ewido and they all came up clean (after 3 hours).
I believe I may be cured.
HJT Scan:

Logfile of HijackThis v1.99.1
Scan saved at 1:32:57 AM, on 5/7/2005
Platform: Windows 2000 SP3 (WinNT 5.00.2195)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINNT\system32\regsvc.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\internat.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\WINNT\System32\wuauclt.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\HJT\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windows-find.com/sp.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windows-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windows-find.com/index.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm
O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll
O2 - BHO: CNisExtBho Class - {9ECB9560-04F9-4bbc-943D-298DDF1699E1} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: CNavExtBho Class - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: @msdxmLC.dll,-1@1033,&Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINNT\System32\msdxm.ocx
O3 - Toolbar: Web assistant - {0B53EAC3-8D69-4b9e-9B19-A37C9A5676A7} - C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [Synchronization Manager] mobsync.exe /logon
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [SSC_UserPrompt] C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe
O4 - HKCU\..\Run: [internat.exe] internat.exe
O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
O4 - HKCU\..\Run: [jtgljml] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wymrvfy] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hesakcb] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ydvxcka] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [bspjlog] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [avqdivq] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [hkokhoj] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ywpenwu] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [sujqtiv] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [eqdolgd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [kkuqlgl] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [ubmndea] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [oiqdlto] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [erfpphm] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mpmgqvd] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [wjxowql] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [umyagtg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [fcbmsce] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [pakynre] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [qvuufop] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [mxmshow] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [nptykyg] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [icmvgda] c:\winnt\ohrxdnu.exe
O4 - HKCU\..\Run: [caqmvwi] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [ikihvdc] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hewqaos] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [pswrdvo] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [snhfutt] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [jjxgtvm] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [vtpdses] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [bsgjfye] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [udqxvbl] c:\winnt\kadtfeo.exe
O4 - HKCU\..\Run: [hitasut] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jmesujl] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [jgutffg] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [teltnsp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [owurqis] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qusxoeo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hkrttta] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [qskudot] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [pbjitog] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [midmbwv] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [fhrfkxp] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [oaiaedw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [vvdlmjc] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [rnvwyba] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [ojmpnwk] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [hbsfrhw] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [gggggxo] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [huqcsgj] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [irrccpu] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [uwjvnln] c:\winnt\cnurihq.exe
O4 - HKCU\..\Run: [epsrjti] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffihdnc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oohanrj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gisvghe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jusdyqg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ukohfei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tupyrsn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [drasegk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tradkou] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yccsets] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [iwlbnvs] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vxslbei] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bitkaqt] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [bwuykvd] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cfkixgk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [xsqqpoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [thbfpfl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kibuwdc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fsqowsf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evedfyu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jlyotdv] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [efvahem] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [owccmuo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [miivuet] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [wkekaan] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qgssfdo] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vcevdfm] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [nxptycu] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [oqsbtmi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ppkcjsk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [qqvqiws] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [hkqefaf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [dxeoely] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pnitcho] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [arrgjre] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ealmrwc] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [cpbglvh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [sderaly] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ixuotoq] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [gxxvlnf] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [pdocqpn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [jdrqpmh] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [irldsix] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [evpbhwi] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [kmukorg] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [yqwjghr] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [tdkibxe] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [uqwcupk] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [fxupxlb] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [ffryjpl] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [aamwhmn] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [vagjdka] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [llqqdhj] c:\winnt\mwiswfo.exe
O4 - HKCU\..\Run: [afcwccw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rpekvgf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oihmkve] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gnhpayx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [whlinpb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [dsfsofp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hijxopg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oscuxms] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [lpihaxe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vysgsjv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [nmsgloc] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qwobeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [bhjdena] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eirpatk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mrbqxia] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hxkiejj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pirjqon] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mdhfpkf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wutvhqw] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hoowwkq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [eiwodod] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhiboty] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [inslqeq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jgwkkwj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [orvtosm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wbmhbtg] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [chrohsl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amuklml] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rflurmo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [vgfgnjm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [hlrhbao] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [wfsdpsf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xmcoxwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jdwxouv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [xeemdag] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [khkiefh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yvtompe] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tbcflen] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ysulbxi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [tpamgwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uoohbgi] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oboluvm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [amkqjqn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ygxgiid] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [fbcwgnt] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gwdvyel] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ulmnxsv] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [uiodpbx] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [jeotdpd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oryhxba] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qhlpjcl] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ihxynbh] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ypfgilf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [denqjrj] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [pcafyfo] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [gfrqsgq] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [njqhyln] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [cgjumje] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ljdsurf] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kwrxybb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [yaxioqp] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [mlkbmhs] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [kysmeto] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [oiqbvwd] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [rntgpqb] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [qvrixmm] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [ajmakbk] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [paavjfn] c:\winnt\imujmni.exe
O4 - HKCU\..\Run: [axeuyjp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wpjixev] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [pnwcjom] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [iviavgl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramibwu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [oxrebmb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [osonrdl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ajpcfpt] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [nbbonej] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shyrsia] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ayfgydw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [shvmuhe] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixdtnen] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [njectjw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [hfvlbjo] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [khhtxlj] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ramyspf] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [jsjvfef] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yjfdygd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ytlsqwl] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [lrvctym] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ptacsln] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [wxhtffd] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [ixkggsa] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [eohpqwk] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [gvvhbqu] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [udayxsp] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [dnmsbcw] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [cemsnpb] c:\winnt\bghxjvw.exe
O4 - HKCU\..\Run: [yxnxslo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hrggukd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dhgwqyp] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fvasaid] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [hnkqnsd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [rknevxu] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nftagqo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [iiddptl] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cyefhug] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [nccemra] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lxnrooy] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fmcwfkq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [enqkyeq] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [fjekmkd] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [lwqcotb] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [uqbcovj] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [mgxsvch] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [cvuqaey] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [orvetwg] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjudger] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [sjpsouo] c:\winnt\bqeqaso.exe
O4 - HKCU\..\Run: [dtqflrv] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qqpiptd] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [fvimgni] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [dfrkged] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [djhtbnv] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [ucjnhnx] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [qqvrspj] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rkkubkc] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [rehlsww] c:\winnt\ejounne.exe
O4 - HKCU\..\Run: [nmfhyhl] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [rlschev] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [krfsrhy] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [xcluqra] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [xlwmeij] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [jgrsahx] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [qjfpjbr] c:\winnt\wbednct.exe
O4 - HKCU\..\Run: [iaylofm] c:\winnt\umetjwa.exe
O4 - HKCU\..\Run: [sgsfqaw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [rjeniur] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [plbiyiv] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [aejqtjp] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [knneiyb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [fmyeurc] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [dpyujba] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [jhnbqus] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [filddik] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [ayelfgb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [tqutdfw] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [iygbtor] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [lluvtqb] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [nycaakt] c:\winnt\vixwkwk.exe
O4 - HKCU\..\Run: [gmouinj] c:\winnt\vixwkwk.exe
O4 - Global Startup: AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
O4 - Global Startup: AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
O4 - Global Startup: Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
O4 - Global Startup: WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINNT\System32\Shdocvw.dll
O9 - Extra button: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)
O14 - IERESET.INF: START_PAGE_URL=http://www.aol.co.uk/
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O17 - HKLM\System\CS1\Services\Tcpip\..\{33D13E8F-21D5-4185-A37D-C12078C5BC18}: NameServer = 205.188.146.145
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Logical Disk Manager Administrative Service (dmadmin) - VERITAS Software Corp. - C:\WINNT\System32\dmadmin.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Regards

Doug
  • 0

#10
g2i2r4
Posted 07 May 2005 - 07:03 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
You are still very much infected.

All security programs should be disabled during fixing, or they will prevent us from getting it clean.

***

Open HijackThis.
Close all programs leaving only HijackThis running. Place a check against each of the following, making sure you get them all and not any others by mistake:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://windows-find.com/sp.htm

R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://windows-find.com/sp.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://windows-find.com/index.htm

R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,SearchURL = http://dr-search4u.com/sp.htm

O2 - BHO: (no name) - {02478D38-C3F9-4efb-9B51-7695ECA05670} - (no file)

O4 - HKLM\..\Run: [motoin] C:\WINNT\mm15201518.Stub.exe

O4 - HKCU\..\Run: [WindowsFY] C:\wp.exe
and all items up until
O4 - HKCU\..\Run: [jtgljml] c:\winnt\ohrxdnu.exe

O9 - Extra button: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)

O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {17970D0C-E5A2-42AD-AC9B-B3C6F12C1FCD} - (no file) (HKCU)

Click on Fix Checked when finished and exit HijackThis.

***

Then please reboot into Safe Mode by restarting your computer and pressing F8 as your computer is booting up. Then select the Safe Mode option.

Once in Safe Mode, please run Killbox.

Select "Delete on Reboot".

Open the text file with these instructions in it, and copy the file names below to the clipboard by highlighting them and pressing Control-C:

C:\wp.exe
C:\wp.bmp
C:\Winnt\sites.ini
C:\Winnt\popuper.exe
C:\Winnt\System32\wldr.dll
C:\Winnt\System32\helper.exe
C:\Winnt\System32\intmonp.exe
C:\Winnt\System32\msmsgs.exe
C:\Winnt\System32\ole32vbs.exe
C:\Winnt\system32\msole32.exe
C:\WINNT\mm15201518.Stub.exe
c:\winnt\ohrxdnu.exe
c:\winnt\kadtfeo.exe
c:\winnt\cnurihq.exe
c:\winnt\mwiswfo.exe
c:\winnt\imujmni.exe
c:\winnt\bghxjvw.exe
c:\winnt\bqeqaso.exe
c:\winnt\umetjwa.exe
c:\winnt\wbednct.exe
c:\winnt\ejounne.exe
c:\winnt\vixwkwk.exe

Return to Killbox, go to the File menu, and choose "Paste from Clipboard".

Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

***

Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect.

***

* Please click this link to download Silent Runners.
* Save it to the desktop.
* Run Silent Runner's by doubleclicking the "Silent Runners" icon on your desktop.
* You will see a text file appear on the desktop - it's not done yet, just let it run (it won't appear to be doing anything!)
* Once you receive the prompt "All Done!", double-click on the new text file on the desktop and copy that entire log and paste it here.

*NOTE* If you receive any warning message about scripts, please choose to allow the script to run.

***

Open Hijackthis, click "Open the Misc Tools section"
Next to "Generate StartupList log", place a check next to "List also minor sections" (full) and "List empty sections (complete).
Then click "Generate StartupList log"
Click "Yes" to the box that pops-up. It will open a notepad file.
Copy and past the content of that file here in your answer.
  • 0

Advertisements

#11
doug_lord
Posted 08 May 2005 - 08:48 AM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Hit a problem with Killbox.

Keep getting this message: Pendingfilerenamesoperation registry data has been removed by external process .

Tried loading Missing File but don't know how to open the mscomctl.ocx file that it installs.

Sorry

Doug
  • 0

#12
doug_lord
Posted 08 May 2005 - 08:59 AM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
Should have mentioned that it is possible my Norton has blocked Killbox's registry.
I disabled all my virus software before running the sequense but it still didn't work.

Doug
  • 0

#13
g2i2r4
Posted 08 May 2005 - 09:00 AM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
This only means one or more files we pasted in are already gone. Just reboot the computer and move on.
  • 0

#14
doug_lord
Posted 08 May 2005 - 12:15 PM

doug_lord

    Member

  • Topic Starter
  • Member
  • PipPip
  • 16 posts
All done:

"Silent Runners.vbs", revision 36, http://www.silentrunners.org/
Operating System: Windows 2000
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"internat.exe" = "internat.exe" [MS]
"wymrvfy" = "c:\winnt\ohrxdnu.exe" [file not found]
"hesakcb" = "c:\winnt\ohrxdnu.exe" [file not found]
"ydvxcka" = "c:\winnt\ohrxdnu.exe" [file not found]
"bspjlog" = "c:\winnt\ohrxdnu.exe" [file not found]
"avqdivq" = "c:\winnt\ohrxdnu.exe" [file not found]
"hkokhoj" = "c:\winnt\ohrxdnu.exe" [file not found]
"ywpenwu" = "c:\winnt\ohrxdnu.exe" [file not found]
"sujqtiv" = "c:\winnt\ohrxdnu.exe" [file not found]
"eqdolgd" = "c:\winnt\ohrxdnu.exe" [file not found]
"kkuqlgl" = "c:\winnt\ohrxdnu.exe" [file not found]
"ubmndea" = "c:\winnt\ohrxdnu.exe" [file not found]
"oiqdlto" = "c:\winnt\ohrxdnu.exe" [file not found]
"erfpphm" = "c:\winnt\ohrxdnu.exe" [file not found]
"mpmgqvd" = "c:\winnt\ohrxdnu.exe" [file not found]
"wjxowql" = "c:\winnt\ohrxdnu.exe" [file not found]
"umyagtg" = "c:\winnt\ohrxdnu.exe" [file not found]
"fcbmsce" = "c:\winnt\ohrxdnu.exe" [file not found]
"pakynre" = "c:\winnt\ohrxdnu.exe" [file not found]
"qvuufop" = "c:\winnt\ohrxdnu.exe" [file not found]
"mxmshow" = "c:\winnt\ohrxdnu.exe" [file not found]
"nptykyg" = "c:\winnt\ohrxdnu.exe" [file not found]
"icmvgda" = "c:\winnt\ohrxdnu.exe" [file not found]
"caqmvwi" = "c:\winnt\kadtfeo.exe" [file not found]
"ikihvdc" = "c:\winnt\kadtfeo.exe" [file not found]
"hewqaos" = "c:\winnt\kadtfeo.exe" [file not found]
"pswrdvo" = "c:\winnt\kadtfeo.exe" [file not found]
"snhfutt" = "c:\winnt\kadtfeo.exe" [file not found]
"jjxgtvm" = "c:\winnt\kadtfeo.exe" [file not found]
"vtpdses" = "c:\winnt\kadtfeo.exe" [file not found]
"bsgjfye" = "c:\winnt\kadtfeo.exe" [file not found]
"udqxvbl" = "c:\winnt\kadtfeo.exe" [file not found]
"hitasut" = "c:\winnt\cnurihq.exe" [file not found]
"jmesujl" = "c:\winnt\cnurihq.exe" [file not found]
"jgutffg" = "c:\winnt\cnurihq.exe" [file not found]
"teltnsp" = "c:\winnt\cnurihq.exe" [file not found]
"owurqis" = "c:\winnt\cnurihq.exe" [file not found]
"qusxoeo" = "c:\winnt\cnurihq.exe" [file not found]
"hkrttta" = "c:\winnt\cnurihq.exe" [file not found]
"qskudot" = "c:\winnt\cnurihq.exe" [file not found]
"pbjitog" = "c:\winnt\cnurihq.exe" [file not found]
"midmbwv" = "c:\winnt\cnurihq.exe" [file not found]
"fhrfkxp" = "c:\winnt\cnurihq.exe" [file not found]
"oaiaedw" = "c:\winnt\cnurihq.exe" [file not found]
"vvdlmjc" = "c:\winnt\cnurihq.exe" [file not found]
"rnvwyba" = "c:\winnt\cnurihq.exe" [file not found]
"ojmpnwk" = "c:\winnt\cnurihq.exe" [file not found]
"hbsfrhw" = "c:\winnt\cnurihq.exe" [file not found]
"gggggxo" = "c:\winnt\cnurihq.exe" [file not found]
"huqcsgj" = "c:\winnt\cnurihq.exe" [file not found]
"irrccpu" = "c:\winnt\cnurihq.exe" [file not found]
"uwjvnln" = "c:\winnt\cnurihq.exe" [file not found]
"epsrjti" = "c:\winnt\mwiswfo.exe" [file not found]
"ffihdnc" = "c:\winnt\mwiswfo.exe" [file not found]
"oohanrj" = "c:\winnt\mwiswfo.exe" [file not found]
"gisvghe" = "c:\winnt\mwiswfo.exe" [file not found]
"jusdyqg" = "c:\winnt\mwiswfo.exe" [file not found]
"ukohfei" = "c:\winnt\mwiswfo.exe" [file not found]
"tupyrsn" = "c:\winnt\mwiswfo.exe" [file not found]
"drasegk" = "c:\winnt\mwiswfo.exe" [file not found]
"tradkou" = "c:\winnt\mwiswfo.exe" [file not found]
"yccsets" = "c:\winnt\mwiswfo.exe" [file not found]
"iwlbnvs" = "c:\winnt\mwiswfo.exe" [file not found]
"vxslbei" = "c:\winnt\mwiswfo.exe" [file not found]
"bitkaqt" = "c:\winnt\mwiswfo.exe" [file not found]
"bwuykvd" = "c:\winnt\mwiswfo.exe" [file not found]
"cfkixgk" = "c:\winnt\mwiswfo.exe" [file not found]
"xsqqpoq" = "c:\winnt\mwiswfo.exe" [file not found]
"thbfpfl" = "c:\winnt\mwiswfo.exe" [file not found]
"kibuwdc" = "c:\winnt\mwiswfo.exe" [file not found]
"fsqowsf" = "c:\winnt\mwiswfo.exe" [file not found]
"evedfyu" = "c:\winnt\mwiswfo.exe" [file not found]
"jlyotdv" = "c:\winnt\mwiswfo.exe" [file not found]
"efvahem" = "c:\winnt\mwiswfo.exe" [file not found]
"owccmuo" = "c:\winnt\mwiswfo.exe" [file not found]
"miivuet" = "c:\winnt\mwiswfo.exe" [file not found]
"wkekaan" = "c:\winnt\mwiswfo.exe" [file not found]
"qgssfdo" = "c:\winnt\mwiswfo.exe" [file not found]
"vcevdfm" = "c:\winnt\mwiswfo.exe" [file not found]
"nxptycu" = "c:\winnt\mwiswfo.exe" [file not found]
"oqsbtmi" = "c:\winnt\mwiswfo.exe" [file not found]
"ppkcjsk" = "c:\winnt\mwiswfo.exe" [file not found]
"qqvqiws" = "c:\winnt\mwiswfo.exe" [file not found]
"hkqefaf" = "c:\winnt\mwiswfo.exe" [file not found]
"dxeoely" = "c:\winnt\mwiswfo.exe" [file not found]
"pnitcho" = "c:\winnt\mwiswfo.exe" [file not found]
"arrgjre" = "c:\winnt\mwiswfo.exe" [file not found]
"ealmrwc" = "c:\winnt\mwiswfo.exe" [file not found]
"cpbglvh" = "c:\winnt\mwiswfo.exe" [file not found]
"sderaly" = "c:\winnt\mwiswfo.exe" [file not found]
"ixuotoq" = "c:\winnt\mwiswfo.exe" [file not found]
"gxxvlnf" = "c:\winnt\mwiswfo.exe" [file not found]
"pdocqpn" = "c:\winnt\mwiswfo.exe" [file not found]
"jdrqpmh" = "c:\winnt\mwiswfo.exe" [file not found]
"irldsix" = "c:\winnt\mwiswfo.exe" [file not found]
"evpbhwi" = "c:\winnt\mwiswfo.exe" [file not found]
"kmukorg" = "c:\winnt\mwiswfo.exe" [file not found]
"yqwjghr" = "c:\winnt\mwiswfo.exe" [file not found]
"tdkibxe" = "c:\winnt\mwiswfo.exe" [file not found]
"uqwcupk" = "c:\winnt\mwiswfo.exe" [file not found]
"fxupxlb" = "c:\winnt\mwiswfo.exe" [file not found]
"ffryjpl" = "c:\winnt\mwiswfo.exe" [file not found]
"aamwhmn" = "c:\winnt\mwiswfo.exe" [file not found]
"vagjdka" = "c:\winnt\mwiswfo.exe" [file not found]
"llqqdhj" = "c:\winnt\mwiswfo.exe" [file not found]
"afcwccw" = "c:\winnt\imujmni.exe" [file not found]
"rpekvgf" = "c:\winnt\imujmni.exe" [file not found]
"oihmkve" = "c:\winnt\imujmni.exe" [file not found]
"gnhpayx" = "c:\winnt\imujmni.exe" [file not found]
"whlinpb" = "c:\winnt\imujmni.exe" [file not found]
"dsfsofp" = "c:\winnt\imujmni.exe" [file not found]
"hijxopg" = "c:\winnt\imujmni.exe" [file not found]
"oscuxms" = "c:\winnt\imujmni.exe" [file not found]
"lpihaxe" = "c:\winnt\imujmni.exe" [file not found]
"vysgsjv" = "c:\winnt\imujmni.exe" [file not found]
"nmsgloc" = "c:\winnt\imujmni.exe" [file not found]
"qwobeto" = "c:\winnt\imujmni.exe" [file not found]
"bhjdena" = "c:\winnt\imujmni.exe" [file not found]
"eirpatk" = "c:\winnt\imujmni.exe" [file not found]
"mrbqxia" = "c:\winnt\imujmni.exe" [file not found]
"hxkiejj" = "c:\winnt\imujmni.exe" [file not found]
"pirjqon" = "c:\winnt\imujmni.exe" [file not found]
"mdhfpkf" = "c:\winnt\imujmni.exe" [file not found]
"wutvhqw" = "c:\winnt\imujmni.exe" [file not found]
"hoowwkq" = "c:\winnt\imujmni.exe" [file not found]
"eiwodod" = "c:\winnt\imujmni.exe" [file not found]
"qhiboty" = "c:\winnt\imujmni.exe" [file not found]
"inslqeq" = "c:\winnt\imujmni.exe" [file not found]
"jgwkkwj" = "c:\winnt\imujmni.exe" [file not found]
"orvtosm" = "c:\winnt\imujmni.exe" [file not found]
"wbmhbtg" = "c:\winnt\imujmni.exe" [file not found]
"chrohsl" = "c:\winnt\imujmni.exe" [file not found]
"amuklml" = "c:\winnt\imujmni.exe" [file not found]
"rflurmo" = "c:\winnt\imujmni.exe" [file not found]
"vgfgnjm" = "c:\winnt\imujmni.exe" [file not found]
"hlrhbao" = "c:\winnt\imujmni.exe" [file not found]
"wfsdpsf" = "c:\winnt\imujmni.exe" [file not found]
"xmcoxwd" = "c:\winnt\imujmni.exe" [file not found]
"jdwxouv" = "c:\winnt\imujmni.exe" [file not found]
"xeemdag" = "c:\winnt\imujmni.exe" [file not found]
"khkiefh" = "c:\winnt\imujmni.exe" [file not found]
"yvtompe" = "c:\winnt\imujmni.exe" [file not found]
"tbcflen" = "c:\winnt\imujmni.exe" [file not found]
"ysulbxi" = "c:\winnt\imujmni.exe" [file not found]
"tpamgwd" = "c:\winnt\imujmni.exe" [file not found]
"uoohbgi" = "c:\winnt\imujmni.exe" [file not found]
"oboluvm" = "c:\winnt\imujmni.exe" [file not found]
"amkqjqn" = "c:\winnt\imujmni.exe" [file not found]
"ygxgiid" = "c:\winnt\imujmni.exe" [file not found]
"fbcwgnt" = "c:\winnt\imujmni.exe" [file not found]
"gwdvyel" = "c:\winnt\imujmni.exe" [file not found]
"ulmnxsv" = "c:\winnt\imujmni.exe" [file not found]
"uiodpbx" = "c:\winnt\imujmni.exe" [file not found]
"jeotdpd" = "c:\winnt\imujmni.exe" [file not found]
"oryhxba" = "c:\winnt\imujmni.exe" [file not found]
"qhlpjcl" = "c:\winnt\imujmni.exe" [file not found]
"ihxynbh" = "c:\winnt\imujmni.exe" [file not found]
"ypfgilf" = "c:\winnt\imujmni.exe" [file not found]
"denqjrj" = "c:\winnt\imujmni.exe" [file not found]
"pcafyfo" = "c:\winnt\imujmni.exe" [file not found]
"gfrqsgq" = "c:\winnt\imujmni.exe" [file not found]
"njqhyln" = "c:\winnt\imujmni.exe" [file not found]
"cgjumje" = "c:\winnt\imujmni.exe" [file not found]
"ljdsurf" = "c:\winnt\imujmni.exe" [file not found]
"kwrxybb" = "c:\winnt\imujmni.exe" [file not found]
"yaxioqp" = "c:\winnt\imujmni.exe" [file not found]
"mlkbmhs" = "c:\winnt\imujmni.exe" [file not found]
"kysmeto" = "c:\winnt\imujmni.exe" [file not found]
"oiqbvwd" = "c:\winnt\imujmni.exe" [file not found]
"rntgpqb" = "c:\winnt\imujmni.exe" [file not found]
"qvrixmm" = "c:\winnt\imujmni.exe" [file not found]
"ajmakbk" = "c:\winnt\imujmni.exe" [file not found]
"paavjfn" = "c:\winnt\imujmni.exe" [file not found]
"axeuyjp" = "c:\winnt\bghxjvw.exe" [file not found]
"wpjixev" = "c:\winnt\bghxjvw.exe" [file not found]
"pnwcjom" = "c:\winnt\bghxjvw.exe" [file not found]
"iviavgl" = "c:\winnt\bghxjvw.exe" [file not found]
"ramibwu" = "c:\winnt\bghxjvw.exe" [file not found]
"oxrebmb" = "c:\winnt\bghxjvw.exe" [file not found]
"osonrdl" = "c:\winnt\bghxjvw.exe" [file not found]
"ajpcfpt" = "c:\winnt\bghxjvw.exe" [file not found]
"nbbonej" = "c:\winnt\bghxjvw.exe" [file not found]
"shyrsia" = "c:\winnt\bghxjvw.exe" [file not found]
"ayfgydw" = "c:\winnt\bghxjvw.exe" [file not found]
"shvmuhe" = "c:\winnt\bghxjvw.exe" [file not found]
"ixdtnen" = "c:\winnt\bghxjvw.exe" [file not found]
"njectjw" = "c:\winnt\bghxjvw.exe" [file not found]
"hfvlbjo" = "c:\winnt\bghxjvw.exe" [file not found]
"khhtxlj" = "c:\winnt\bghxjvw.exe" [file not found]
"ramyspf" = "c:\winnt\bghxjvw.exe" [file not found]
"jsjvfef" = "c:\winnt\bghxjvw.exe" [file not found]
"yjfdygd" = "c:\winnt\bghxjvw.exe" [file not found]
"ytlsqwl" = "c:\winnt\bghxjvw.exe" [file not found]
"lrvctym" = "c:\winnt\bghxjvw.exe" [file not found]
"ptacsln" = "c:\winnt\bghxjvw.exe" [file not found]
"wxhtffd" = "c:\winnt\bghxjvw.exe" [file not found]
"ixkggsa" = "c:\winnt\bghxjvw.exe" [file not found]
"eohpqwk" = "c:\winnt\bghxjvw.exe" [file not found]
"gvvhbqu" = "c:\winnt\bghxjvw.exe" [file not found]
"udayxsp" = "c:\winnt\bghxjvw.exe" [file not found]
"dnmsbcw" = "c:\winnt\bghxjvw.exe" [file not found]
"cemsnpb" = "c:\winnt\bghxjvw.exe" [file not found]
"yxnxslo" = "c:\winnt\bqeqaso.exe" [file not found]
"hrggukd" = "c:\winnt\bqeqaso.exe" [file not found]
"dhgwqyp" = "c:\winnt\bqeqaso.exe" [file not found]
"fvasaid" = "c:\winnt\bqeqaso.exe" [file not found]
"hnkqnsd" = "c:\winnt\bqeqaso.exe" [file not found]
"rknevxu" = "c:\winnt\bqeqaso.exe" [file not found]
"nftagqo" = "c:\winnt\bqeqaso.exe" [file not found]
"iiddptl" = "c:\winnt\bqeqaso.exe" [file not found]
"cyefhug" = "c:\winnt\bqeqaso.exe" [file not found]
"nccemra" = "c:\winnt\bqeqaso.exe" [file not found]
"lxnrooy" = "c:\winnt\bqeqaso.exe" [file not found]
"fmcwfkq" = "c:\winnt\bqeqaso.exe" [file not found]
"enqkyeq" = "c:\winnt\bqeqaso.exe" [file not found]
"fjekmkd" = "c:\winnt\bqeqaso.exe" [file not found]
"lwqcotb" = "c:\winnt\bqeqaso.exe" [file not found]
"uqbcovj" = "c:\winnt\bqeqaso.exe" [file not found]
"mgxsvch" = "c:\winnt\bqeqaso.exe" [file not found]
"cvuqaey" = "c:\winnt\bqeqaso.exe" [file not found]
"orvetwg" = "c:\winnt\bqeqaso.exe" [file not found]
"sjudger" = "c:\winnt\bqeqaso.exe" [file not found]
"sjpsouo" = "c:\winnt\bqeqaso.exe" [file not found]
"dtqflrv" = "c:\winnt\umetjwa.exe" [file not found]
"qqpiptd" = "c:\winnt\wbednct.exe" [file not found]
"fvimgni" = "c:\winnt\ejounne.exe" [file not found]
"dfrkged" = "c:\winnt\umetjwa.exe" [file not found]
"djhtbnv" = "c:\winnt\wbednct.exe" [file not found]
"ucjnhnx" = "c:\winnt\ejounne.exe" [file not found]
"qqvrspj" = "c:\winnt\wbednct.exe" [file not found]
"rkkubkc" = "c:\winnt\umetjwa.exe" [file not found]
"rehlsww" = "c:\winnt\ejounne.exe" [file not found]
"nmfhyhl" = "c:\winnt\wbednct.exe" [file not found]
"rlschev" = "c:\winnt\umetjwa.exe" [file not found]
"krfsrhy" = "c:\winnt\wbednct.exe" [file not found]
"xcluqra" = "c:\winnt\umetjwa.exe" [file not found]
"xlwmeij" = "c:\winnt\wbednct.exe" [file not found]
"jgrsahx" = "c:\winnt\umetjwa.exe" [file not found]
"qjfpjbr" = "c:\winnt\wbednct.exe" [file not found]
"iaylofm" = "c:\winnt\umetjwa.exe" [file not found]
"sgsfqaw" = "c:\winnt\vixwkwk.exe" [file not found]
"rjeniur" = "c:\winnt\vixwkwk.exe" [file not found]
"plbiyiv" = "c:\winnt\vixwkwk.exe" [file not found]
"aejqtjp" = "c:\winnt\vixwkwk.exe" [file not found]
"knneiyb" = "c:\winnt\vixwkwk.exe" [file not found]
"fmyeurc" = "c:\winnt\vixwkwk.exe" [file not found]
"dpyujba" = "c:\winnt\vixwkwk.exe" [file not found]
"jhnbqus" = "c:\winnt\vixwkwk.exe" [file not found]
"filddik" = "c:\winnt\vixwkwk.exe" [file not found]
"ayelfgb" = "c:\winnt\vixwkwk.exe" [file not found]
"tqutdfw" = "c:\winnt\vixwkwk.exe" [file not found]
"iygbtor" = "c:\winnt\vixwkwk.exe" [file not found]
"lluvtqb" = "c:\winnt\vixwkwk.exe" [file not found]
"nycaakt" = "c:\winnt\vixwkwk.exe" [file not found]
"gmouinj" = "c:\winnt\vixwkwk.exe" [file not found]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Synchronization Manager" = "mobsync.exe /logon" [MS]
"ccApp" = ""C:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"URLLSTCK.exe" = "C:\Program Files\Norton Internet Security\UrlLstCk.exe" ["Symantec Corporation"]
"REGSHAVE" = "C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN" ["FUJI PHOTO FILM CO., LTD."]
"AOLDialer" = "C:\Program Files\Common Files\AOL\ACS\AOLDial.exe" ["America Online, Inc"]
"QuickTime Task" = ""C:\Program Files\QuickTime\qttask.exe" -atboottime" ["Apple Computer, Inc."]
"AOL Spyware Protection" = ""C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"" [null data]
"SpyHunter" = ** WARNING! empty or invalid data **
"SSC_UserPrompt" = "C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe" ["Symantec Corporation"]
"TkBellExe" = ""C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot" ["RealNetworks, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{06849E9F-C8D7-4D59-B87D-784B7D6BE0B3}\(Default) = "AcroIEHlprObj Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Adobe\Acrobat 6.0\Reader\ActiveX\AcroIEHelper.dll" ["Adobe Systems Incorporated"]
{9ECB9560-04F9-4bbc-943D-298DDF1699E1}\(Default) = "CNisExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]
{AA58ED58-01DD-4d91-8333-CF10577473F7}\(Default) = "Google Toolbar Helper" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]
{BDF3E430-B101-42AD-A544-FADC6B084872}\(Default) = "CNavExtBho Class" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\hticons.dll" ["Hilgraeve, Inc."]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\Downloaded Program Files\ymmapi.dll" ["Yahoo! Inc."]
"{F0CB00CD-5A07-4D91-97F5-A8C92CDA93E4}" = "Shell Extensions for RealOne Player"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Real\RealPlayer\rpshell.dll" ["RealNetworks, Inc."]
"{E0D79304-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79305-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79306-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]
"{E0D79307-84BE-11CE-9641-444553540000}" = "WinZip"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\WINZIP\WZSHLSTB.DLL" ["WinZip Computing, Inc."]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\ShellExecuteHooks\
INFECTION WARNING! "{54D9498B-CF93-414F-8984-8CE7FDE0D391}" = "ewido shell guard"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\ewido\security suite\shellhook.dll" ["TODO: <Firmenname>"]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Enabled Screen Saver:
---------------------

HKCU\Control Panel\Desktop\
"SCRNSAVE.EXE" = "(NONE)" [file not found]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is enabled.


Startup items in "Administrator" & "All Users" startup folders:
---------------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"AOL Companion" -> shortcut to: "C:\Program Files\AOL Companion\companion.exe /s" [null data]
"AOL Tray Icon" -> shortcut to: "C:\Program Files\AOL 9.0\aoltray.exe -check" ["America Online, Inc."]
"Exif Launcher" -> shortcut to: "C:\Program Files\FinePixViewer\QuickDCF.exe" ["FUJI PHOTO FILM CO., LTD."]
"WinZip Quick Pick" -> shortcut to: "C:\Program Files\WinZip\WZQKPICK.EXE" ["WinZip Computing, Inc."]


Enabled Scheduled Tasks:
------------------------

"Norton AntiVirus - Scan my computer - Administrator" -> launches: "C:\PROGRA~1\NORTON~1\NORTON~1\Navw32.exe /task:"C:\Documents and Settings\All Users\Application Data\Symantec\Norton AntiVirus\Tasks\mycomp.sca"" ["Symantec Corporation"]
"Symantec NetDetect" -> launches: "C:\Program Files\Symantec\LiveUpdate\NDETECT.EXE" ["Symantec Corporation"]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\rnr20.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\msafd.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Toolbars

HKCU\Software\Microsoft\Internet Explorer\Toolbar\ShellBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

HKCU\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser\
"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Web assistant"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

HKLM\Software\Microsoft\Internet Explorer\Toolbar\
"{0B53EAC3-8D69-4B9E-9B19-A37C9A5676A7}"
-> {CLSID}\(Default) = "Web assistant"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Symantec Shared\AdBlocking\NISShExt.dll" ["Symantec Corporation"]

"{42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6}"
-> {CLSID}\(Default) = "Norton AntiVirus"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Norton Internet Security\Norton AntiVirus\NavShExt.dll" ["Symantec Corporation"]

"{2318C2B1-4965-11D4-9B18-009027A5CD4F}"
-> {CLSID}\(Default) = "&Google"
-> {CLSID}\InProcServer32\(Default) = "c:\program files\google\googletoolbar2.dll" ["Google Inc."]

Explorer Bars

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{FE54FA40-D68C-11D2-98FA-00C0F0318AFE}\
-> {CLSID}\(Default) = "Real.com"
-> {CLSID}\InProcServer32\(Default) = "C:\WINNT\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{FF059E31-CC5A-4E2E-BF3B-96E929D65503}\
(Default) = "&Research"
Implemented Categories\{00021493-0000-0000-C000-000000000046}\ [vertical bar]
InProcServer32\(Default) = "C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL" [MS]

Extensions (Tools menu items, main toolbar menu buttons)

HKLM\Software\Microsoft\Internet Explorer\Extensions\
{92780B25-18CC-41C8-B9BE-3C9C571A8263}\
"ButtonText" = "Research"

{CD67F990-D8E9-11D2-98FE-00C0F0318AFE}\
"ButtonText" = "Real.com"


Running Services (Display Name, Service Name, Path {Service DLL}):
------------------------------------------------------------------

AOL Connectivity Service, AOL ACS, "C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe" ["America Online, Inc."]
ewido security suite control, ewido security suite control, "C:\Program Files\ewido\security suite\ewidoctrl.exe" ["ewido networks"]
ewido security suite guard, ewido security suite guard, "C:\Program Files\ewido\security suite\ewidoguard.exe" ["ewido networks"]
MSSQL$MICROSOFTBCM, MSSQL$MICROSOFTBCM, "C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe -sMICROSOFTBCM" [MS]
Symantec Core LC, Symantec Core LC, "C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe" ["Symantec Corporation"]
Symantec Event Manager, ccEvtMgr, ""C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe"" ["Symantec Corporation"]
Symantec Network Drivers Service, SNDSrvc, "C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe" ["Symantec Corporation"]
Symantec Network Proxy, ccProxy, ""C:\Program Files\Common Files\Symantec Shared\ccProxy.exe"" ["Symantec Corporation"]
Symantec Settings Manager, ccSetMgr, ""C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe"" ["Symantec Corporation"]


----------
This report excludes default entries except where indicated.
To see *everywhere* the script checks and *everything* it finds,
launch it from a command prompt or a shortcut with the -all parameter.
----------



HJT




StartupList report, 5/8/2005, 7:14:17 PM
StartupList version: 1.52.2
Started from : C:\Program Files\HJT\HijackThis.EXE
Detected: Windows 2000 SP3 (WinNT 5.00.2195)
Detected: Internet Explorer v6.00 SP1 (6.00.2800.1106)
* Using default options
* Including empty and uninteresting sections
* Showing rarely important sections
==================================================

Running processes:

C:\WINNT\System32\smss.exe
C:\WINNT\system32\winlogon.exe
C:\WINNT\system32\services.exe
C:\WINNT\system32\lsass.exe
C:\WINNT\system32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINNT\system32\spoolsv.exe
C:\PROGRA~1\COMMON~1\AOL\ACS\AOLacsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\WINNT\System32\svchost.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Microsoft SQL Server\MSSQL$MICROSOFTBCM\Binn\sqlservr.exe
C:\WINNT\system32\regsvc.exe
C:\WINNT\system32\MSTask.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINNT\System32\WBEM\WinMgmt.exe
C:\WINNT\System32\mspmspsv.exe
C:\WINNT\system32\svchost.exe
C:\WINNT\System32\svchost.exe
C:\WINNT\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\QuickTime\qttask.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINNT\System32\internat.exe
C:\Program Files\AOL Companion\companion.exe
C:\Program Files\AOL 9.0\aoltray.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\WinZip\WZQKPICK.EXE
C:\WINNT\system32\NOTEPAD.EXE
C:\WINNT\System32\wuauclt.exe
C:\Program Files\HJT\HijackThis.exe

--------------------------------------------------

Listing of startup folders:

Shell folders Startup:
[C:\Documents and Settings\Administrator\Start Menu\Programs\Startup]
*No files*

Shell folders AltStartup:
*Folder not found*

User shell folders Startup:
*Folder not found*

User shell folders AltStartup:
*Folder not found*

Shell folders Common Startup:
[C:\Documents and Settings\All Users\Start Menu\Programs\Startup]
AOL Companion.lnk = C:\Program Files\AOL Companion\companion.exe
AOL Tray Icon.lnk = C:\Program Files\AOL 9.0\aoltray.exe
Exif Launcher.lnk = C:\Program Files\FinePixViewer\QuickDCF.exe
WinZip Quick Pick.lnk = C:\Program Files\WinZip\WZQKPICK.EXE

Shell folders Common AltStartup:
*Folder not found*

User shell folders Common Startup:
*Folder not found*

User shell folders Alternate Common Startup:
*Folder not found*

--------------------------------------------------

Checking Windows NT UserInit:

[HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
UserInit = C:\WINNT\system32\userinit.exe,

[HKLM\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

[HKCU\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
*Registry value not found*

[HKCU\Software\Microsoft\Windows\CurrentVersion\Winlogon]
*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Synchronization Manager = mobsync.exe /logon
ccApp = "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
URLLSTCK.exe = C:\Program Files\Norton Internet Security\UrlLstCk.exe
REGSHAVE = C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
AOLDialer = C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
QuickTime Task = "C:\Program Files\QuickTime\qttask.exe" -atboottime
AOL Spyware Protection = "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
SpyHunter =
SSC_UserPrompt = C:\Program Files\Common Files\Symantec Shared\Security Center\UsrPrmpt.exe
TkBellExe = "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run

internat.exe = internat.exe
wymrvfy = c:\winnt\ohrxdnu.exe
hesakcb = c:\winnt\ohrxdnu.exe
ydvxcka = c:\winnt\ohrxdnu.exe
bspjlog = c:\winnt\ohrxdnu.exe
avqdivq = c:\winnt\ohrxdnu.exe
hkokhoj = c:\winnt\ohrxdnu.exe
ywpenwu = c:\winnt\ohrxdnu.exe
sujqtiv = c:\winnt\ohrxdnu.exe
eqdolgd = c:\winnt\ohrxdnu.exe
kkuqlgl = c:\winnt\ohrxdnu.exe
ubmndea = c:\winnt\ohrxdnu.exe
oiqdlto = c:\winnt\ohrxdnu.exe
erfpphm = c:\winnt\ohrxdnu.exe
mpmgqvd = c:\winnt\ohrxdnu.exe
wjxowql = c:\winnt\ohrxdnu.exe
umyagtg = c:\winnt\ohrxdnu.exe
fcbmsce = c:\winnt\ohrxdnu.exe
pakynre = c:\winnt\ohrxdnu.exe
qvuufop = c:\winnt\ohrxdnu.exe
mxmshow = c:\winnt\ohrxdnu.exe
nptykyg = c:\winnt\ohrxdnu.exe
icmvgda = c:\winnt\ohrxdnu.exe
caqmvwi = c:\winnt\kadtfeo.exe
ikihvdc = c:\winnt\kadtfeo.exe
hewqaos = c:\winnt\kadtfeo.exe
pswrdvo = c:\winnt\kadtfeo.exe
snhfutt = c:\winnt\kadtfeo.exe
jjxgtvm = c:\winnt\kadtfeo.exe
vtpdses = c:\winnt\kadtfeo.exe
bsgjfye = c:\winnt\kadtfeo.exe
udqxvbl = c:\winnt\kadtfeo.exe
hitasut = c:\winnt\cnurihq.exe
jmesujl = c:\winnt\cnurihq.exe
jgutffg = c:\winnt\cnurihq.exe
teltnsp = c:\winnt\cnurihq.exe
owurqis = c:\winnt\cnurihq.exe
qusxoeo = c:\winnt\cnurihq.exe
hkrttta = c:\winnt\cnurihq.exe
qskudot = c:\winnt\cnurihq.exe
pbjitog = c:\winnt\cnurihq.exe
midmbwv = c:\winnt\cnurihq.exe
fhrfkxp = c:\winnt\cnurihq.exe
oaiaedw = c:\winnt\cnurihq.exe
vvdlmjc = c:\winnt\cnurihq.exe
rnvwyba = c:\winnt\cnurihq.exe
ojmpnwk = c:\winnt\cnurihq.exe
hbsfrhw = c:\winnt\cnurihq.exe
gggggxo = c:\winnt\cnurihq.exe
huqcsgj = c:\winnt\cnurihq.exe
irrccpu = c:\winnt\cnurihq.exe
uwjvnln = c:\winnt\cnurihq.exe
epsrjti = c:\winnt\mwiswfo.exe
ffihdnc = c:\winnt\mwiswfo.exe
oohanrj = c:\winnt\mwiswfo.exe
gisvghe = c:\winnt\mwiswfo.exe
jusdyqg = c:\winnt\mwiswfo.exe
ukohfei = c:\winnt\mwiswfo.exe
tupyrsn = c:\winnt\mwiswfo.exe
drasegk = c:\winnt\mwiswfo.exe
tradkou = c:\winnt\mwiswfo.exe
yccsets = c:\winnt\mwiswfo.exe
iwlbnvs = c:\winnt\mwiswfo.exe
vxslbei = c:\winnt\mwiswfo.exe
bitkaqt = c:\winnt\mwiswfo.exe
bwuykvd = c:\winnt\mwiswfo.exe
cfkixgk = c:\winnt\mwiswfo.exe
xsqqpoq = c:\winnt\mwiswfo.exe
thbfpfl = c:\winnt\mwiswfo.exe
kibuwdc = c:\winnt\mwiswfo.exe
fsqowsf = c:\winnt\mwiswfo.exe
evedfyu = c:\winnt\mwiswfo.exe
jlyotdv = c:\winnt\mwiswfo.exe
efvahem = c:\winnt\mwiswfo.exe
owccmuo = c:\winnt\mwiswfo.exe
miivuet = c:\winnt\mwiswfo.exe
wkekaan = c:\winnt\mwiswfo.exe
qgssfdo = c:\winnt\mwiswfo.exe
vcevdfm = c:\winnt\mwiswfo.exe
nxptycu = c:\winnt\mwiswfo.exe
oqsbtmi = c:\winnt\mwiswfo.exe
ppkcjsk = c:\winnt\mwiswfo.exe
qqvqiws = c:\winnt\mwiswfo.exe
hkqefaf = c:\winnt\mwiswfo.exe
dxeoely = c:\winnt\mwiswfo.exe
pnitcho = c:\winnt\mwiswfo.exe
arrgjre = c:\winnt\mwiswfo.exe
ealmrwc = c:\winnt\mwiswfo.exe
cpbglvh = c:\winnt\mwiswfo.exe
sderaly = c:\winnt\mwiswfo.exe
ixuotoq = c:\winnt\mwiswfo.exe
gxxvlnf = c:\winnt\mwiswfo.exe
pdocqpn = c:\winnt\mwiswfo.exe
jdrqpmh = c:\winnt\mwiswfo.exe
irldsix = c:\winnt\mwiswfo.exe
evpbhwi = c:\winnt\mwiswfo.exe
kmukorg = c:\winnt\mwiswfo.exe
yqwjghr = c:\winnt\mwiswfo.exe
tdkibxe = c:\winnt\mwiswfo.exe
uqwcupk = c:\winnt\mwiswfo.exe
fxupxlb = c:\winnt\mwiswfo.exe
ffryjpl = c:\winnt\mwiswfo.exe
aamwhmn = c:\winnt\mwiswfo.exe
vagjdka = c:\winnt\mwiswfo.exe
llqqdhj = c:\winnt\mwiswfo.exe
afcwccw = c:\winnt\imujmni.exe
rpekvgf = c:\winnt\imujmni.exe
oihmkve = c:\winnt\imujmni.exe
gnhpayx = c:\winnt\imujmni.exe
whlinpb = c:\winnt\imujmni.exe
dsfsofp = c:\winnt\imujmni.exe
hijxopg = c:\winnt\imujmni.exe
oscuxms = c:\winnt\imujmni.exe
lpihaxe = c:\winnt\imujmni.exe
vysgsjv = c:\winnt\imujmni.exe
nmsgloc = c:\winnt\imujmni.exe
qwobeto = c:\winnt\imujmni.exe
bhjdena = c:\winnt\imujmni.exe
eirpatk = c:\winnt\imujmni.exe
mrbqxia = c:\winnt\imujmni.exe
hxkiejj = c:\winnt\imujmni.exe
pirjqon = c:\winnt\imujmni.exe
mdhfpkf = c:\winnt\imujmni.exe
wutvhqw = c:\winnt\imujmni.exe
hoowwkq = c:\winnt\imujmni.exe
eiwodod = c:\winnt\imujmni.exe
qhiboty = c:\winnt\imujmni.exe
inslqeq = c:\winnt\imujmni.exe
jgwkkwj = c:\winnt\imujmni.exe
orvtosm = c:\winnt\imujmni.exe
wbmhbtg = c:\winnt\imujmni.exe
chrohsl = c:\winnt\imujmni.exe
amuklml = c:\winnt\imujmni.exe
rflurmo = c:\winnt\imujmni.exe
vgfgnjm = c:\winnt\imujmni.exe
hlrhbao = c:\winnt\imujmni.exe
wfsdpsf = c:\winnt\imujmni.exe
xmcoxwd = c:\winnt\imujmni.exe
jdwxouv = c:\winnt\imujmni.exe
xeemdag = c:\winnt\imujmni.exe
khkiefh = c:\winnt\imujmni.exe
yvtompe = c:\winnt\imujmni.exe
tbcflen = c:\winnt\imujmni.exe
ysulbxi = c:\winnt\imujmni.exe
tpamgwd = c:\winnt\imujmni.exe
uoohbgi = c:\winnt\imujmni.exe
oboluvm = c:\winnt\imujmni.exe
amkqjqn = c:\winnt\imujmni.exe
ygxgiid = c:\winnt\imujmni.exe
fbcwgnt = c:\winnt\imujmni.exe
gwdvyel = c:\winnt\imujmni.exe
ulmnxsv = c:\winnt\imujmni.exe
uiodpbx = c:\winnt\imujmni.exe
jeotdpd = c:\winnt\imujmni.exe
oryhxba = c:\winnt\imujmni.exe
qhlpjcl = c:\winnt\imujmni.exe
ihxynbh = c:\winnt\imujmni.exe
ypfgilf = c:\winnt\imujmni.exe
denqjrj = c:\winnt\imujmni.exe
pcafyfo = c:\winnt\imujmni.exe
gfrqsgq = c:\winnt\imujmni.exe
njqhyln = c:\winnt\imujmni.exe
cgjumje = c:\winnt\imujmni.exe
ljdsurf = c:\winnt\imujmni.exe
kwrxybb = c:\winnt\imujmni.exe
yaxioqp = c:\winnt\imujmni.exe
mlkbmhs = c:\winnt\imujmni.exe
kysmeto = c:\winnt\imujmni.exe
oiqbvwd = c:\winnt\imujmni.exe
rntgpqb = c:\winnt\imujmni.exe
qvrixmm = c:\winnt\imujmni.exe
ajmakbk = c:\winnt\imujmni.exe
paavjfn = c:\winnt\imujmni.exe
axeuyjp = c:\winnt\bghxjvw.exe
wpjixev = c:\winnt\bghxjvw.exe
pnwcjom = c:\winnt\bghxjvw.exe
iviavgl = c:\winnt\bghxjvw.exe
ramibwu = c:\winnt\bghxjvw.exe
oxrebmb = c:\winnt\bghxjvw.exe
osonrdl = c:\winnt\bghxjvw.exe
ajpcfpt = c:\winnt\bghxjvw.exe
nbbonej = c:\winnt\bghxjvw.exe
shyrsia = c:\winnt\bghxjvw.exe
ayfgydw = c:\winnt\bghxjvw.exe
shvmuhe = c:\winnt\bghxjvw.exe
ixdtnen = c:\winnt\bghxjvw.exe
njectjw = c:\winnt\bghxjvw.exe
hfvlbjo = c:\winnt\bghxjvw.exe
khhtxlj = c:\winnt\bghxjvw.exe
ramyspf = c:\winnt\bghxjvw.exe
jsjvfef = c:\winnt\bghxjvw.exe
yjfdygd = c:\winnt\bghxjvw.exe
ytlsqwl = c:\winnt\bghxjvw.exe
lrvctym = c:\winnt\bghxjvw.exe
ptacsln = c:\winnt\bghxjvw.exe
wxhtffd = c:\winnt\bghxjvw.exe
ixkggsa = c:\winnt\bghxjvw.exe
eohpqwk = c:\winnt\bghxjvw.exe
gvvhbqu = c:\winnt\bghxjvw.exe
udayxsp = c:\winnt\bghxjvw.exe
dnmsbcw = c:\winnt\bghxjvw.exe
cemsnpb = c:\winnt\bghxjvw.exe
yxnxslo = c:\winnt\bqeqaso.exe
hrggukd = c:\winnt\bqeqaso.exe
dhgwqyp = c:\winnt\bqeqaso.exe
fvasaid = c:\winnt\bqeqaso.exe
hnkqnsd = c:\winnt\bqeqaso.exe
rknevxu = c:\winnt\bqeqaso.exe
nftagqo = c:\winnt\bqeqaso.exe
iiddptl = c:\winnt\bqeqaso.exe
cyefhug = c:\winnt\bqeqaso.exe
nccemra = c:\winnt\bqeqaso.exe
lxnrooy = c:\winnt\bqeqaso.exe
fmcwfkq = c:\winnt\bqeqaso.exe
enqkyeq = c:\winnt\bqeqaso.exe
fjekmkd = c:\winnt\bqeqaso.exe
lwqcotb = c:\winnt\bqeqaso.exe
uqbcovj = c:\winnt\bqeqaso.exe
mgxsvch = c:\winnt\bqeqaso.exe
cvuqaey = c:\winnt\bqeqaso.exe
orvetwg = c:\winnt\bqeqaso.exe
sjudger = c:\winnt\bqeqaso.exe
sjpsouo = c:\winnt\bqeqaso.exe
dtqflrv = c:\winnt\umetjwa.exe
qqpiptd = c:\winnt\wbednct.exe
fvimgni = c:\winnt\ejounne.exe
dfrkged = c:\winnt\umetjwa.exe
djhtbnv = c:\winnt\wbednct.exe
ucjnhnx = c:\winnt\ejounne.exe
qqvrspj = c:\winnt\wbednct.exe
rkkubkc = c:\winnt\umetjwa.exe
rehlsww = c:\winnt\ejounne.exe
nmfhyhl = c:\winnt\wbednct.exe
rlschev = c:\winnt\umetjwa.exe
krfsrhy = c:\winnt\wbednct.exe
xcluqra = c:\winnt\umetjwa.exe
xlwmeij = c:\winnt\wbednct.exe
jgrsahx = c:\winnt\umetjwa.exe
qjfpjbr = c:\winnt\wbednct.exe
iaylofm = c:\winnt\umetjwa.exe
sgsfqaw = c:\winnt\vixwkwk.exe
rjeniur = c:\winnt\vixwkwk.exe
plbiyiv = c:\winnt\vixwkwk.exe
aejqtjp = c:\winnt\vixwkwk.exe
knneiyb = c:\winnt\vixwkwk.exe
fmyeurc = c:\winnt\vixwkwk.exe
dpyujba = c:\winnt\vixwkwk.exe
jhnbqus = c:\winnt\vixwkwk.exe
filddik = c:\winnt\vixwkwk.exe
ayelfgb = c:\winnt\vixwkwk.exe
tqutdfw = c:\winnt\vixwkwk.exe
iygbtor = c:\winnt\vixwkwk.exe
lluvtqb = c:\winnt\vixwkwk.exe
nycaakt = c:\winnt\vixwkwk.exe
gmouinj = c:\winnt\vixwkwk.exe

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

*No values found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries from Registry:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run

*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

[OptionalComponents]
*No values found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce
*No subkeys found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnceEx
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServices
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

Autorun entries in Registry subkeys of:
HKCU\Software\Microsoft\Windows NT\CurrentVersion\Run
*Registry key not found*

--------------------------------------------------

File association entry for .EXE:
HKEY_CLASSES_ROOT\exefile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .COM:
HKEY_CLASSES_ROOT\comfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .BAT:
HKEY_CLASSES_ROOT\batfile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .PIF:
HKEY_CLASSES_ROOT\piffile\shell\open\command

(Default) = "%1" %*

--------------------------------------------------

File association entry for .SCR:
HKEY_CLASSES_ROOT\scrfile\shell\open\command

(Default) = "%1" /S

--------------------------------------------------

File association entry for .HTA:
HKEY_CLASSES_ROOT\htafile\shell\open\command

(Default) = C:\WINNT\System32\mshta.exe "%1" %*

--------------------------------------------------

File association entry for .TXT:
HKEY_CLASSES_ROOT\txtfile\shell\open\command

(Default) = %SystemRoot%\system32\NOTEPAD.EXE %1

--------------------------------------------------

Enumerating Active Setup stub paths:
HKLM\Software\Microsoft\Active Setup\Installed Components
(* = disabled by HKCU twin)

[>{26923b43-4d38-484f-9b9e-de460746276c}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigIE

[>{6D673AA6-C360-4AAC-8413-A284A257EA90}] *
StubPath = RunDLL32 IEDKCS32.DLL,BrandIE4 SIGNUP

[>{881dd1c5-3dcf-431b-b061-f3f88e8be88a}] *
StubPath = "C:\WINNT\System32\shmgrate.exe" OCInstallUserConfigOE

[{22d6f312-b0f6-11d0-94ab-0080c74c7e95}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\mplayer2.inf,PerUserStub.NT

[{44BBA840-CC51-11CF-AAFA-00AA00B6015C}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:OE /CALLER:WINNT /user /install

[{44BBA842-CC51-11CF-AAFA-00AA00B6015B}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\msnetmtg.inf,NetMtg.Install.PerUser.NT

[{6A5110B5-E14B-4268-A065-EF89FF33C325}] *
StubPath = regsvr32.exe /s /n /i:"S 2 true 3 true 4 true 5 true 6 true 7 true" initpki.dll

[{6BF52A52-394A-11d3-B153-00C04F79FAA6}] *
StubPath = rundll32.exe advpack.dll,LaunchINFSection C:\WINNT\INF\wmp.inf,PerUserStub

[{7790769C-0471-11d2-AF11-00C04FA35D02}] *
StubPath = "%ProgramFiles%\Outlook Express\setup50.exe" /APP:WAB /CALLER:WINNT /user /install

[{89820200-ECBD-11cf-8B85-00AA005B4340}] *
StubPath = regsvr32.exe /s /n /i:U shell32.dll

[{89820200-ECBD-11cf-8B85-00AA005B4383}] *
StubPath = %SystemRoot%\System32\ie4uinit.exe

[{89B4C1CD-B018-4511-B0A1-5476DBF70820}] *
StubPath = C:\WINNT\System32\Rundll32.exe C:\WINNT\System32\mscories.dll,Install

[{9EF0045A-CDD9-438e-95E6-02B9AFEC8E11}] *
StubPath = %SystemRoot%\System32\updcrl.exe -e -u %SystemRoot%\System32\verisignpub1.crl

--------------------------------------------------

Enumerating ICQ Agent Autostart apps:
HKCU\Software\Mirabilis\ICQ\Agent\Apps

*Registry key not found*

--------------------------------------------------

Load/Run keys from C:\WINNT\WIN.INI:

load=*INI section not found*
run=*INI section not found*

Load/Run keys from Registry:

HKLM\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKLM\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKLM\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: load=*Registry value not found*
HKCU\..\Windows NT\CurrentVersion\WinLogon: run=*Registry value not found*
HKCU\..\Windows\CurrentVersion\WinLogon: load=*Registry key not found*
HKCU\..\Windows\CurrentVersion\WinLogon: run=*Registry key not found*
HKCU\..\Windows NT\CurrentVersion\Windows: load=
HKCU\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: load=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: run=*Registry value not found*
HKLM\..\Windows NT\CurrentVersion\Windows: AppInit_DLLs=

------------
  • 0

#15
g2i2r4
Posted 08 May 2005 - 01:52 PM

g2i2r4

    retired HiJack Helper

  • Retired Staff
  • 5,080 posts
Please remove Spy Hunter completely from your computer.
Read more about it on this page.

Then reboot.


Right click here and click Save Target As. Save the file to your desktop. Double click on the file you saved to run it. It will ask you if you want to merge it with your registry. Click Yes and then Ok on the confirmation. You will have to reboot for this to take effect..

Please do an online scan, 2 would be better,

Trend Micro Housecall
Panda online scan

Make sure that you choose "fix" or "clean".

Save the results from the scan!

Post me a fresh log using HijackThis and the results from the scan.
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP